Tuesday, June 24, 2008

clearing the backlog

well folks, my drafts folder runneth over so i'm going to try and post all (or as many as i can) of the things in it just to get it out of mind and off of chest... please bear with me, some of this stuff is going to be pretty old and not necessarily fleshed out to the extent that my normal posts are...

and to start off i'm going to do something completely unlike my normal posts and deal with some emails i received some months back... my apologies for not dealing with these sooner, i put them to the side while i figured out how i should deal with reader emails and then never got back to them... in retrospect i imagine that when people send me emails pointing me to stories or blog posts they're probably doing so because they'd like to see my reaction, so to show my belated appreciation for those who cared enough to send such emails i'm going to do a postbag type of post and give some sort of response here...

the first email came from joe hepperle and concerned a page on the web (i won't link to it but i'm sure anyone with even the slightest bit of google-fu can find it) that seems to suggest i'm a pervert... no, it's not true, i'm not a pervert... those who know me well know that i'm about as far from being a pervert as one can be (at least for now, perhaps i'll become more balanced when i get older), and certainly far from the sexual predators the page in question compares me to... i was actually already aware of the page in question as the notorious usenet troll who created it has posted the link in various newsgroups on more than one occasion... as counterpoint to the page i would direct the curious to check out some google searches on the 2 most common variations of his/her pseudonym (pcbutts, pcbutts1) though i would warn against image searching as you may run across images hosted on the troll's domain which are not only not safe for work, they aren't safe for anywhere (that which is seen cannot be unseen)...

the second email comes from andreas clementi and points me to an internet storm center blog entry about a keylogger called 'tiny keylogger 2.0' being missed by av products (i did mention these emails were old, right?)... my abbreviated reaction is similar to that of a commenter on the same entry - that the keylogger in question is probably greyware and the vendors have either chosen not to bother with it or require you to enable their greyware detection capabilities... on reading the feature list for this keylogger i would tend to lean toward the former because i find it hard to believe something so lame could be a credible threat to anyone... maybe if it was combined with a RAT in some ad hoc multi-stage attack...

the third email comes from james manning and concerns an article singing the praises of whitelisting over blacklisting... it didn't really seem to me that the article was saying anything that hadn't been said before or that i haven't countered before... in retrospect, however, it should be noted that while the article claims whitelists don't require virus or spyware definition updates, they do require goodware definition updates (basically updates to the whitelist)... furthermore, while i've mentioned before that good software is far more numerous than bad and produced at a far faster rate than bad (thus leading to larger and faster growing signature databases), it turns out that whitelisting companies have a tendency to use blacklist software to keep the bad stuff out of their whitelists... a whitelist based on the complement of a blacklist can be no more accurate than that same blacklist...
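to make the two caveats above concrete, here is a small added example (written for this post, not code from any whitelisting or antivirus vendor; the sample "executables", the hashes and the curate_allowlist workflow are all constructed assumptions for illustration)... it shows a hash-based allowlist that blocks a newly released good program until its "goodware definition" is added, and an allowlist curated by admitting whatever a blacklist scanner passes, which lets through exactly the sample the blacklist misses:

```python
"""Hash-based allowlisting with two failure modes made explicit:
1. a new good release is blocked until the allowlist itself is updated, and
2. an allowlist seeded from "whatever the blacklist scanner passes" inherits
   the blacklist's false negatives.

Example code for this post; not from any vendor. All sample file contents are
constructed byte strings, not real executables."""
import hashlib


def sha256(data: bytes) -> str:
    """Hex digest used as the file identity in both lists."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples (assumed content, stands in for real binaries).
SAMPLES = {
    "good_v1": b"MZ good-app version 1",
    "good_v2": b"MZ good-app version 2",          # new release, not yet listed
    "known_bad": b"MZ known-trojan",
    "new_bad": b"MZ keylogger not yet in any blacklist",
}


class Allowlist:
    """Default deny: a file may run only if its hash is listed."""

    def __init__(self, hashes=()):
        self.hashes = set(hashes)

    def permits(self, data: bytes) -> bool:
        return sha256(data) in self.hashes

    def update(self, new_hashes):
        """The 'goodware definition update' a whitelist still needs."""
        self.hashes |= set(new_hashes)


class Blacklist:
    """Default allow: a file is flagged only if its hash is listed."""

    def __init__(self, hashes=()):
        self.hashes = set(hashes)

    def flags(self, data: bytes) -> bool:
        return sha256(data) in self.hashes


def curate_allowlist(candidates, blacklist: Blacklist) -> Allowlist:
    """Assumed vendor workflow: admit every submitted sample that the
    blacklist scanner does not flag. Anything the blacklist misses is
    therefore admitted too."""
    return Allowlist(sha256(c) for c in candidates if not blacklist.flags(c))


def allowlist_outcomes(allowlist: Allowlist) -> dict:
    """Which constructed samples the given allowlist lets run."""
    return {name: allowlist.permits(data) for name, data in SAMPLES.items()}


def demo() -> dict:
    """Run both scenarios and return the outcomes for inspection."""
    # Scenario 1: enforcement with a stale allowlist, then after an update.
    wl = Allowlist([sha256(SAMPLES["good_v1"])])
    before = allowlist_outcomes(wl)            # good_v2 blocked, both bad blocked
    wl.update([sha256(SAMPLES["good_v2"])])    # definition update required
    after = allowlist_outcomes(wl)             # good_v2 now permitted

    # Scenario 2: allowlist curated by a blacklist that only knows known_bad.
    bl = Blacklist([sha256(SAMPLES["known_bad"])])
    curated = allowlist_outcomes(curate_allowlist(SAMPLES.values(), bl))
    # curated["new_bad"] is True: the blacklist's miss became a whitelist entry
    return {"before_update": before, "after_update": after, "curated": curated}


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

the point of the last scenario is the one from the email: once the allowlist's contents are decided by running a blacklist over candidate files, the allowlist can only be as accurate as that blacklist, and every sample the blacklist fails to flag is not merely "unknown" but positively trusted...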

the fourth email is also from james and concerns a bit of snake-oil in the form of comodo's promise of a worry-free malware-free pc... it's actually more like a money-back guarantee because comodo were going to cover the cost of recovery when (not if) their product failed to prevent a malware infestation, but either way they're telling the customer that using their product/service means not having to worry about malware anymore and if that's not selling a false sense of security i don't know what is...

the final email is from luke tan and concerns the compromise of both the trend and avast sites... i really ought to have posted a heads-up/PSA when he sent me that email (as i have with the others he's sent me), i'm not sure why i didn't (though if memory serves the trend incident was well publicized)... he also asks whether security companies should be embarrassed by such incidents... i don't think they should be, at least not any more than any other company, unless they specialize in web security... security is too big a field to expect anyone or any company to do all parts of it perfectly...